I would like help for Freeradius integration on AD domain

2011-05-31 Thread edgardolenza
 ID 72 with timestamp +87
Ready to process requests.

#by eddy: trying to authenticate radiust...@ulssve.lan with CHAP encryption

rad_recv: Access-Request packet from host 172.30.100.2 port 54247, id=15, length=157
User-Name = radiust...@ulssve.lan
CHAP-Challenge = 0xd4ab0707d4ab0707d4ab0707d4ab0707
CHAP-Password = 0x0057dc83b55c66b3ae5f6442d8c52f2d89
NAS-IP-Address = 172.30.100.2
NAS-Identifier = GGSN-RM5
Called-Station-Id = ulss12ve.tim.it
Framed-Protocol = GPRS-PDP-Context
Service-Type = Framed-User
NAS-Port-Type = Virtual
Calling-Station-Id = 393666140176
3GPP-PDP-Type = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = radiust...@ulssve.lan, looking up realm NULL
[IPASS] Found realm NULL
[IPASS] Adding Stripped-User-Name = radiust...@ulssve.lan
[IPASS] Adding Realm = NULL
[IPASS] Authentication realm is LOCAL.
++[IPASS] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by radiust...@ulssve.lan with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> radiust...@ulssve.lan
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 15 to 172.30.100.2 port 54247
Waking up in 4.9 seconds.
Cleaning up request 3 ID 15 with timestamp +119
Ready to process requests.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/I-would-like-help-for-Freeradius-integration-on-AD-domain-tp4441969p4441969.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: I would like help for Freeradius integration on AD domain

2011-05-31 Thread Alan DeKok
edgardolenza wrote:
 -the radius client sends authentication requests to the freeradius (using
 CHAP)
 -freeradius has to ask AD if the user can be authenticated

  This is impossible.

http://deployingradius.com/documents/protocols/compatibility.html

  See the NT Hash column.

  Alan DeKok.
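Why the answer is "impossible" follows directly from how CHAP is computed, and the debug output above already says it ("Cleartext-Password is required for authentication"). The following is an added example, not code from the thread: it reproduces the RFC 1994 check that rlm_chap performs on the CHAP-Challenge and CHAP-Password values from the log, with a constructed password since the real one is not on the page. Because the MD5 is taken over the cleartext secret itself, a server that only holds an NT hash (which is all AD stores) has nothing to feed into it.

```python
import hashlib
import hmac

# CHAP-Challenge and CHAP-Password exactly as printed in the debug output above.
LOG_CHALLENGE = "0xd4ab0707d4ab0707d4ab0707d4ab0707"
LOG_CHAP_PASSWORD = "0x0057dc83b55c66b3ae5f6442d8c52f2d89"


def attr_bytes(hex_attr: str) -> bytes:
    """Decode a FreeRADIUS-style '0x...' octets attribute into raw bytes."""
    return bytes.fromhex(hex_attr[2:] if hex_attr.startswith("0x") else hex_attr)


def chap_response(ident: int, cleartext: str, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || challenge).

    The secret is the cleartext password; an NT hash or any other digest of
    it cannot be substituted, which is why rlm_chap demands Cleartext-Password.
    """
    return hashlib.md5(bytes([ident]) + cleartext.encode("utf-8") + challenge).digest()


def chap_verify(chap_password: bytes, cleartext: str, challenge: bytes) -> bool:
    """CHAP-Password attribute layout: 1 byte Identifier + 16 byte MD5 response."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, cleartext, challenge), response)


def demo() -> dict:
    """Run the check the way the server would: once with the password the
    client used, once with a wrong one, and once against the logged packet
    (whose real password is unknown, so the constructed one cannot match)."""
    challenge = attr_bytes(LOG_CHALLENGE)
    ident = attr_bytes(LOG_CHAP_PASSWORD)[0]        # 0x00 in the log
    password = "constructed-test-password"         # constructed, not the real one
    client_attr = bytes([ident]) + chap_response(ident, password, challenge)
    return {
        "right_password": chap_verify(client_attr, password, challenge),
        "wrong_password": chap_verify(client_attr, "something-else", challenge),
        "logged_packet": chap_verify(attr_bytes(LOG_CHAP_PASSWORD), password, challenge),
    }


if __name__ == "__main__":
    print(demo())
```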


Re: I would like help for Freeradius integration on AD domain

2011-05-31 Thread edgardolenza
Hi Alan,

Is this a STANDARD?

Excuse me but I'm not an expert on these things.

Have you got suggestions on how to implement this? 

Isn't it possible to create a copy of the AD's users on a local Database?

Do you know if there are other solutions?

Thank you very much.
Eddy

PS: I've also tried with PAP, I'll send the debug info soon, but the problem
is the same.



Re: I would like help for Freeradius integration on AD domain

2011-05-31 Thread Alan DeKok
edgardolenza wrote:
 Is this a STANDARD?

  I have no idea what you mean by that.

 Excuse me but I'm not an expert on these things.

  What's so hard about reading that web page?

 Have you got suggestions on how to implement this? 

  What part of impossible is unclear?

 Isn't it possible to create a copy of the AD's users on a local Database?

  Go ask Microsoft.  The answer will likely be no.

 Do you know if there are other solutions?

  Do you know the definition of impossible?

 PS: I've also tried with PAP, I'll send the debug info soon, but the problem
 is the same.

  Yes.  You've butchered your configuration so that it doesn't work.

  Don't do that.  See man radiusd for reasons why.

  Alan DeKok.


Re: I would like help for Freeradius integration on AD domain

2011-05-31 Thread Martin Goldstone
On 31/05/11 14:39, edgardolenza wrote:
 Hello everybody,

Hello

 
 I apologize because I'm new with linux and freeradius also.
 I've read many forums and many howtos but I've got some trouble with user
 authentication on domain controller.
 
 This is my working layout: 
 -I've got an appliance (radius client) getting authentication requests from
 users.
 -the radius client sends authentication requests to the freeradius (using
 CHAP)
 -freeradius has to ask AD if the user can be authenticated

If you want to use AD, you'll be needing to use MSCHAPv2, realistically.
 Most likely inside PEAP, as this is what the MS supplicants use.
Others may also play with EAP-TTLS, but from what I've seen dealing with
802.1x stuff here, it's nearly always MS-CHAPv2 on the inside (although
there are sometimes others available as well)

 
 I've configured many things and I've done many tests: freeradius server
 seems working correctly.
 The machine is in Microsoft domain, I'm able to make queries on ADs.
 When I try to authenticate with domain's I've got problems: I've put the
 debug on bottom of this message.

You need to make sure the freeradius server is joined to the domain
(therefore Samba must be installed). Also, you'll need winbindd running.

*snip*

  Module: Instantiating module mschap from file /etc/raddb/modules/mschap
   mschap {
 use_mppe = yes
 require_encryption = yes
 require_strong = yes
 with_ntdomain_hack = yes
 ntlm_auth = /user/bin/ntlm_auth --request-nt-key
 --username=radiustest
   }

Obviously you'll be wanting to fix the ntlm_auth line as well.

Hope this helps.


-- 

Martin Goldstone
IT Systems Administrator
Finance & IT
Keele University, Keele, Staffordshire, United Kingdom, ST5 5BG
Telephone: +44 1782 734457
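For reference, the shape of the ntlm_auth line that the FreeRADIUS 2.x distribution ships in its example mschap module configuration (an added example, not the configuration from this thread; the binary path and the optional domain argument depend on the local Samba install):

```text
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes

	# Hand the MS-CHAP challenge/response to winbind via ntlm_auth so the
	# domain controller verifies it against the NT hash it holds. The
	# attribute expansions supply the values from the current request.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
```

This only works once the server is joined to the domain and winbindd is running, as Martin says; with a hard-coded --username and a /user/bin path, as in the quoted config, ntlm_auth can never succeed.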